Stuxnet

Status: Active
Connection: The Ordos Laptop
Purpose: Weaponized malware

Stuxnet is a computer worm, a program that can spread on its own without being attached to another program. Its goal was to spy on and control industrial systems that monitor and govern physical processes in real time. More specifically, the worm targeted the Programmable Logic Controller (PLC), essentially a computer on a circuit board with all the necessary hardware and software spread out as microchips across the board, whose job is to gather sensor data and automate industrial tasks such as regulating flow rate to maintain pressure and temperature. It reached the PLC by way of the project files used by SCADA systems (supervisory control and data acquisition), whose job is to oversee these PLCs, which may be distributed across a plant and/or multiple sites, through the sensor data the PLCs report. By changing the project files employed by SCADA software, you can reprogram the PLC(s) to do as you please. In the case of Iran, this "bad code" had the ability to look for a specific PLC model (the model check is required because machine-level instructions vary across different PLC devices). Once the target device had been identified and infected, Stuxnet gained the ability to intercept all data flowing into or out of the PLC, including the ability to tamper with that data. This is called a man-in-the-middle attack: industrial process control sensor signals are faked so that an infected system does not shut down due to detected abnormal behavior.
Stuxnet attacked the SCADA systems by utilizing zero-day exploits (attacks that take advantage of undocumented vulnerabilities) to install a rootkit (a program that conceals the malicious code's access to files, folders and registry keys, or to manifest entries which enumerate a computer's hardware, software and authorized users) on the underlying Windows OS, which in turn logs in to the SCADA's database and steals design and control files. The "virus" would only become active when it encountered a configuration that met certain criteria:

*1) SCADA system manufactured by Siemens Industry Automation Division
*2) Attached slave variable-frequency drive PLC (equipment used to control the speed of machinery by varying motor input frequency and voltage)
*3) Variable-frequency drive manufactured by one of two specific vendors, Vacon of Finland or Fararo Paya of Iran
*4) Frequency of the attached motors between 807 Hz and 1210 Hz, which is typically associated with certain types of pumps or gas centrifuges, especially those used at nuclear fuel enrichment plants

When all those conditions were met, the "virus" would install a rootkit to cover its tracks by masking the changes in rotational speed from monitoring systems. It periodically modified the set rotor speed according to a predetermined formula. This haphazard variation induced excessive vibrations or distortions that would destroy the centrifuge. (A gas centrifuge is used to separate isotopes of an element, in this case uranium, so that the desired U-235 can be harvested; isotopes are the same atomic element with a different number of neutrons. If the aluminum tubes which held the isotopes were spun uncontrollably, the stresses would cause unwanted expansion of the tubes, which would often lead to misalignment of precisely fitted components.) The reason behind this attack was that uranium-235 is one of those materials employed in dual-use technologies, that is, it has both civil and military applications.
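The masking described above (faked sensor signals replayed to the monitoring system while the real rotor speed is driven elsewhere) is what a defender has to detect. The following is a constructed example, not code from this page, of an out-of-band consistency check: the PLC-reported frequency is compared with an independent tachometer reading that does not pass through the PLC, and the reported stream is checked for verbatim replay. Sample values, the 20 Hz tolerance and the 4-sample window are assumptions.

```python
"""Out-of-band telemetry check for a VFD-driven centrifuge.

Constructed example, not code from the wiki page. It models the defender's
side of the man-in-the-middle the page describes: the PLC-reported rotor
frequency (what the SCADA/HMI sees) is compared with an independent
tachometer reading that bypasses the PLC, and the reported stream is
checked for verbatim replay of an earlier window. Values are assumptions.
"""
from collections import Counter

NOMINAL_HZ = (807.0, 1210.0)   # operating band named on the page
MAX_DIVERGENCE_HZ = 20.0       # assumed: allowed gap between the two sensors
REPLAY_WINDOW = 4              # assumed: samples that must repeat to count as a replay


def check_telemetry(reported, independent, window=REPLAY_WINDOW, tol=MAX_DIVERGENCE_HZ):
    """Return (sample_index, reason) alerts for one batch of paired samples."""
    alerts = []
    for i, (rep, ind) in enumerate(zip(reported, independent)):
        if not NOMINAL_HZ[0] <= ind <= NOMINAL_HZ[1]:
            alerts.append((i, "out_of_band"))      # real speed left the nominal band
        if abs(rep - ind) > tol:
            alerts.append((i, "divergence"))       # HMI is being told something else
    # Replay: a window of reported samples repeating an earlier, non-overlapping
    # window exactly. A flat line (one distinct value) is skipped, since a
    # quantized sensor at steady state legitimately repeats itself.
    seen = {}
    for i in range(len(reported) - window + 1):
        key = tuple(round(v, 3) for v in reported[i:i + window])
        if len(set(key)) > 1 and key in seen and i - seen[key] >= window:
            alerts.append((i, "replay"))
        seen.setdefault(key, i)
    return alerts


def summarize(alerts):
    """Count alerts by reason, e.g. {'divergence': 6, 'replay': 3}."""
    return dict(Counter(reason for _, reason in alerts))


# Constructed sample: six healthy noisy samples, then the reported stream keeps
# replaying those same samples while the independent tachometer shows the
# rotor being driven outside its band.
REPORTED_HZ = [1060.1, 1061.4, 1059.8, 1060.6, 1061.0, 1060.3,
               1060.1, 1061.4, 1059.8, 1060.6, 1061.0, 1060.3]
INDEPENDENT_HZ = [1060.0, 1061.2, 1060.1, 1060.4, 1061.1, 1060.2,
                  1180.0, 1300.0, 1350.0, 1250.0, 900.0, 700.0]

if __name__ == "__main__":
    for idx, reason in check_telemetry(REPORTED_HZ, INDEPENDENT_HZ):
        print(f"sample {idx}: {reason}")
    print(summarize(check_telemetry(REPORTED_HZ, INDEPENDENT_HZ)))
```

The replay check only works because real readings carry noise; a sensor that is quantized to a constant value at steady state needs a longer window or a different test.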
The concern was that Iran could easily have used U-235 to build a weapon instead of providing cheap energy. Whoever designed the "virus" knew Iran had acquired Siemens equipment in secret, in direct contravention of European export controls. It is theorized that the "virus" was spread by USB drives intentionally strewn in public Internet cafes near the enrichment facilities where it would eventually land. The only reason it became public knowledge was a comedy of errors: an accidental spreading beyond its intended target, a "virus" update failure, and the piggybacking of the "virus" onto an engineer's personal notebook, which was connected to an infected centrifuge; he then took it to his residence in order to connect to the public Internet. It was also reported that around mid-July of 2010, before any widespread awareness of the matter, one of the two leading mailing lists covering industrial security was disabled by a distributed denial-of-service attack on the server which hosted the list. This event, and the assassination of three Iranian nuclear scientists several months later, implies an orchestrated effort to remove any remote chance that a viable weapons program could exist in the rogue nation.